On 10th October 2023, darknet market vendor, WinstonWolf, posted on Dread explaining how he seemingly had been scammed by HugBunter. The post went over how HugBunter offered to create him a private vendor shop, under the alias /u/Ghost, and vanished. This would be the start of a year long controversy.

HugBunter is the creator of Dread forum. He's a prominent figure in the darknet, along with his co-administrator /u/Paris. He previously operated private vendor stores in the past but stopped doing so years ago.

Private vendor stores are sites that act similarly to markets but instead only have listings for one vendor.

This article will break down how HugBunter used the alias Ghost to sell around $300,000 worth of stores, then abruptly shut them down without refunding the vendors:

1. Confirming HugBunter is Ghost
2. Vendors and Funds Affected
3. Censorship of the Situation

Confirming HugBunter is Ghost

Who is Ghost?

On 23rd July 2023, the user /u/Ghost first created a post titled "Ghost Commerce: Private Vendor Stores - Start selling your goods on your own onion", offering private vendor stores. The first paragraph of the post:

Now that our demo is live, the time has come to offer our Private Vendor Store service publicly. The demo is currently in the testing stage to outline remaining bugs and establish anything further we need to accomodate for Vendors who are already on-boarded. We are beginning the process of deploying live sites and currently have a waiting list for taking on any new clients. Our stores have been tested and verified to be allowed to promote on Dread by the Dread staff.

Although this was Ghost's first post on Dread, the stores were "tested and verified to be allowed to promote on Dread by the Dread staff", and were advertised as being "the only stores approved by Dread staff". This is strange considering Ghost's non existent activity on the forum. Though, it's entirely possible, and later clarified by HugBunter, that Ghost is an alternative account for a well known member on the forum. What HugBunter left out was, Ghost is his account.

HugBunter is Ghost

In the original post that kickstarted this controversy, titled "This is Weird", well known vendor WinstonWolf makes it clear HugBunter was the user selling and providing the stores, and that he was asked to use /d/Ghost as a point of contact for anything related to the stores. Quotes from the, now deleted, post:

HugBunter messaged me over a month ago offering "limited spots for private vendor sites". He said he was reaching out to me for one of the coveted spots because I had a good long history here.

HugBunter asked that I keep his name from my announcements, and instead /d/ghost would be my point of contact. He wanted $10k to get the site up and running.

If this had been anyone but the legendary HugBunter, I would have ignored the message likely, Still, I asked that he send me a PGP signed message to confirm his identity, which he did and I confirmed the message. So I sent $2k to reserve my place, and intended to pay the rest within a week. He said that I would recieive a couple thousand dollars in Dread ads also, if I paid.

Read the full post.

The stores came with thousands of dollars worth of Dread ads, listing on Daunt and were advertised as "the only stores approved by Dread staff".

This section of the article should end here, as it's clear HugBunter is Ghost. Though, since HugBunter has denied being Ghost. This part of the article will continue.

HugBunter claims Ghost is not his alias:

Not my alias, I sold shops in the past and it was a mistake that brought great risk to myself and Dread, not making that mistake again and to associate me with these is dangerous.

I do not have time to be fucking about with vendor shops, its another reason I stopped doing so many years ago.

Not be behind the Ghost stores either, I gave my recommendation based on it being a respected member of the community, no conspiracy needed.

HugBunter claims Winstonwolf is confused about the whole situation. He says all he did was refer WinstonWolf to Ghost:

He (WinstonWolf) was referred and wrongly assumed. That referral also had to expose their original alias for credibility which they understood they cannot expose. The whole reason this became a problem is because I wasn't online when they had a problem and they assumed my referral was some scam attempt, when in reality I had no other involvement.

He's (Ghost) trusted under another alias (...) His reputation has shown that he has been able to operate monetary services without issues and also shut them down without exiting. That doesn't say he couldn't choose to do this in the future, but its the same as trusting market admins, who always abuse my trust too. It is worth nothing that the majority of stores I have saw are stores that did not come from my recommendation, vendors I personally haven't heard of.

Despite these claims, HugBunter provides public relations for Ghost. When an issue with the vendor stores arises, HugBunter reassures users that he has spoken to Ghost and that everything is fine:

Can confirm Ghost did contact us to tell us he needed to take all of the servers down and his reasoning is valid. Will stay in contact with him and try to oversee things.

He (Ghost) is good and I trust in his technical knowledge, but it would be wrong for me to give recommendations of anyone and of course I could never guarantee he wouldn't exit scam so it was a poor decision and I decided to not involve myself further. I can confirm though he contacted us yesterday and explained what was happening, will try to oversee things today if I have time.

Although HugBunter claims WinstonWolf is mistaken, many other popular vendors have stated that HugBunter was the user creating their stores:

More vendors.

Even after HugBunter's claims, WinstonWolf still stated that HugBunter was the user creating his store.

One vendor, NextGeneration, posted his full year long private conversation with HugBunter:

The conversation:

The conversation documents HugBunter's process of creating the stores. Starting from 12th October 2022 and ending on 18th August 2023.

The store's footer:

1 prominent user and 2 vendors have privately confirmed to me that Ghost is HugBunter.

Vendors and Funds Affected

30+ vendors were sold stores by HugBunter. Vendor Freestate_EU, who was sold a store, estimates HugBunter was paid $300,000 in total for the stores.

This post has now been edited, and all the information removed, at the request of "Ghost":

I edited the post at the request of the operator who was pretty mad and cursed me out.

Freestate_EU's store was priced at $10,000, which came with a guarantee of at least 4 years of uptime. He paid $2,500 initially and then another $2,500 after 1 month of uptime. If the store had reached the 3 month uptime mark, he would of paid another $5,000. They were not cheap, which was even acknowledged by the store's promotional post.

Other vendors had different payment structures:

some paid 10k upfront, but everyone made payments of several thousand dollars for a product that was supposed to last at least 4 years.

Currently all the stores are offline, though "Ghost" is still online. He claims to have spent all the money on servers:

All setup costs paid to servers this was not for making money i lost money to this project.

The stores have been offline for 2 months.

The vendors paid thousands for their stores. In return they got 2 months of uptime, followed by 2 months of downtime and no refund. Despite all this, "Ghost" claims:

I did not do to anything wrong

Many vendors have publicly stated that they feel "Ghost" scammed them:

More vendors.

Some vendors have publicly vented their frustration with HugBunter:

These posts and comments are now erased.

Censorship of the Situation

Before continuing, it's important to have a basic understanding of how deleted comments are handled on Dread. When a comment is deleted it appears as:

This process allows people to see that a comment was made, but it's content is deleted.

Nearly every comment linking HugBunter to Ghost doesn't follow this process. Instead they are completely erased from the platform. HugBunter claims:

If a comment is erased it can only be done by request of the author when they want their removed comment to not be associated to their username

These are just a few of the censored comments:

More comments.

These are, apart from the comment that HugBunter claims "was asked to be erased by the author", comments from authors who didn't request erasure. Even comments from deleted accounts, which can't request erasure.

HugBunter claims that no censorship occurred, and that a single comment was erased, which resulted in the child comments below it to be erased:

They weren't top level comments, otherwise I would see them in the log. The only erased comment is a top level comment which shows 13 sub comments were under it, which means the other comments would have been part of that reply chain.

This isn't the case. Every mention of HugBunter in Ghost's announcement post has been erased by Dread staff.

In late 2023, Tails approached the Tor Project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails’s operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution. By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.

According to their blog post, this is a natural outcome of the Tor Project and Tails' shared history of collaboration and solidarity. 15 years ago, Tails' first release was announced on a Tor mailing list, Tor and Tails developers have been collaborating closely since 2015, and more recently Tails has been a sub-grantee of Tor. For Tails, it felt obvious that if they were to approach a bigger organization with the possibility of merging, it would be the Tor Project.

intrigeri, Team Lead Tails OS:

Running Tails as an independent project for 15 years has been a huge effort, but not for the reasons you might expect. The toughest part wasn't the tech–it was handling critical tasks like fundraising, finances, and HR. After trying to manage those in different ways, I’m really relieved that Tails is now under the Tor Project’s wing. In a way, it feels like coming home

Isabela Fernandes, Executive Director, The Tor Project:

By bringing these two organizations together, we’re not just making things easier for our teams, but ensuring the sustainable development and advancement of these vital tools. Working together allows for faster, more efficient collaboration, enabling the quick integration of new features from one tool to the other. This collaboration strengthens our mission and accelerates our ability to respond to evolving threats

Fish was a smaller market that was launched on 8th March 2023 as GoFish.

As usual, other markets were quick to accept refugees after Fish's departure.

/u/Byt3s, the lead moderators of Fish, announced the market had exit scammed in a post titled "The Fish Market is Officially Gone - A Difficult Announcement":

As I'm sure you've all noticed, the market has been down for around 5 days now. When I first saw it had gone offline, I promptly reached out to /u/GoFish (the admin) on Jabber to let him know. Initially, I suspected it might be a DDoS attack that took the main onion down, as we've been a constant target since the superlist announcement. I imagine a lot of other markets face this threat too.

However, this time was a bit different, and unfortunately, for the worse. Some time after the main market onion went down, I became increasingly concerned when the mod panel and private mirrors I had access to also went offline. This was unusual, as those mirrors are typically still accessible even during DDoS attacks. That was my first red flag. At this point, I still hadn't heard back from the admin, and I was left trying to make sense of the extended downtime.

Then I checked my Jabber and that's when I got the confirmation that the market won't be returning. The message I received was extremely vague and It felt like a final goodbye, which was shocking given the progress we’ve made recently. For operational security reasons, I don’t log any of my Jabber messages and wouldn’t feel right sharing it publicly, but the gist was that it seemed a VM server may have been compromised. GoFish mentioned he couldn’t get the volumes back online without potentially exposing encryption keys to a MiTM attack. He followed that up with an apology that it had to end this way.

Read the full, 1000+ word, post here.

Unrelated News

It appears Darknetlive's server has gone offline:

Lin was scheduled to go to Singapore via New York, when he was arrested by the police in New York. The arrest was part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation.

If convicted, Lin faces:

• A mandatory minimum penalty of life in prison for engaging in a continuing criminal enterprise.
• A maximum penalty of life in prison for narcotics conspiracy.
• A maximum penalty of 20 years in prison for money laundering.
• A maximum penalty of five years in prison for conspiracy to sell adulterated and misbranded medication.

Lin's choice to extort vendors and buyers was mentioned in the indictment:

The defendant’s greed and disregard for others was further demonstrated by his alleged extortion attempt during the platform’s final days.

Identifying Incognito's Servers

Law enforcement executed a search warrant on 20th July 2022 and 2nd August 2023 on several of Incognito's servers. These servers hosted the DDOS protection frontend and data backend. Law enforcement didn't specify how they located the servers.

Another search warrant was executed on 16th August 2022 and 5th January 2024 on additional servers. These servers hosted the cryptocurrency backend of the market.

During the time that the 20th July 2022 search warrant was executed, both servers were briefly taken offline. At the time they were taken offline, law enforcement observed that Incognito went offline.

Based on a review of Incognito's backend, law enforcement officers further observed that it was connected to another server, the cryptocurrency backend, via SSH Tunnels. Law enforcement found transaction hashes matching several orders done by other law enforcement officers.

Incognito's Statistics

In its more than three years of operations, Incognito has transacted approximately $80 million in cryptocurrency, and by 2nd August 2023, Incognito had 255,519 users and 224,791 orders.

Incognito's cryptocurrency statistics, as of January 2024, were:

• Bitcoin deposited was 1,316 BTC ($36,895,586).
• Bitcoin withdrawn was 1,303 BTC ($36,431,574).
• 265,375 Monero transactions consisting of 181,918 deposits and 83,457 withdrawals.
• Monero deposited was 296,094 XMR ($46,728,991),
• Monero withdrawn was 294,634 XMR ($46,482,976).

The total revenue, as of 9th January 2024, was approximately $83,624,577, which yielded at least approximately $4,181,228 from its 5% commission. Incognito's 2022 revenue was approximately $14.8 million. In 2023, it was approximately $65.5 million.

How Lin was Caught

Following the Money

As of January 2024, approximately 58 deposits were made from Incognito's Bitcoin wallet to a separate wallet. Let's call this wallet "Pharoahs-Wallet".

The vast majority of Pharoahs-Wallet's funds, approximately 123 BTC ($3,351,343), came from Incognito's wallet. After receiving funds from Incognito's wallet, Pharoahs-Wallet transferred it elsewhere. Specifically, on 25th March 2020 through 1st October 2023, Pharoahs-Wallet received approximately 77 deposits of Bitcoin, totaling approximately 126 BTC, and then transferred all of it to other wallets.

After reviewing the blockchain, law enforcement learned that Pharoahs-Wallet conducted at least four transactions with Namecheap. In particular, Pharoahs-Wallet paid for, or partially paid for, at least four domains:

• A domain which provides real-time status updates for popular darknet marketplaces and services - darknetlive.com (assumption).
• A domain which promoted a now defunct illegal darknet market.
• A domain for a website associated with Incognito's projects - incognite.com.
• An additional particular domain - rs.me (assumption).

This article assumes "an additional particular domain" is rs.me. Lin's personal blog.

Lin purchased rs.me, on 25th March 2022, using a Namecheap account in his name. He used funds from both Pharoahs-Wallet and an account hosted by a cryptocurrency exchange. The total price of rs.me was approximately $20,000, the vast majority of which was paid for from the exchange, but Pharoahs-Wallet also transferred approximately $22.09 to Namecheap to complete the purchase.

Lin sent multiple transactions from Pharoahs-Wallet to a cryptocurrency swapping service. 30-60 minutes later his personal cryptocurrency exchange account received similar amounts:

• 26th July 2021 - 0.04 Bitcoin ($1,528)
• 15th May 2022 - 1 Bitcoin ($29,745)
• 17th May 2022 - 1 Bitcoin ($30,571)
• 31st May 2022 - 2 Bitcoin ($63,432)

Law enforcement also identified another cryptocurrency exchange account registered in Lin's name. It received approximately $4.5 million dollars of cryptocurrency. Lin's employment history is not consistent with the large amount of assets in his cryptocurrency accounts, and Lin's bank statement indicated that he had over $1 million in his accounts.

Lin also created Antinalysis, which was designed to defeat crypto money laundering countermeasures.

Following the Skills

Law enforcement identified Lin's GitHub account. Where he describes himself as a “Backend and Blockchain Engineer, Monero Enthusiast.” Lin’s GitHub account has approximately 35 publicly available coding projects. Collectively, these coding projects indicated that Lin has significant technical computing knowledge, including knowledge necessary to administer a site like Incognito.

The coding projects include operation of cryptocurrency servers and web applications. Lin's GitHub account includes, for example, the following coding projects:

• PoW Shield - a tool to mitigate DDoS attacks.
• Monero Merchant - a software tool that allows online merchants to accept XMR for payment.
• Koa-typescript-framework - a webframe software program used as a foundation for web applications. Incognito is built on Koa and Typescript.

Law enforcement officers identified a YouTube video that contains an 15-minute interview with Lin regarding his “PoW Shield.” During the interview, Lin explained that there are various methods to stop a DDoS attack, including by increasing bandwidth and setting up “edge servers".

Following the Searches

Lin made multiple Google searches which aligned with his work on Incognito:

• “one pixel attack for fooling deep neural networks github”. The same day, he posted on Dread about one pixel attacks and linked to the GitHub page he visited earlier that day.
• “provable fair calculator”, “slot game terminology” and several searches that were related gambling. 13 days later, Incognito added new gambling features.
• "three-way conversation”. The next day Incognito offered a redesigned dispute system with “per-order three-way chats”.
• “cryptopunk generator js”, “array.reduce”, “get random in array” and “js random true false.” 20 days later, Incognito added "punk avatars - unique generated icons that represent you".
• On 19th July 2022 the FBI imaged one of Incognito's servers. To execute that search warrant, the FBI took Incognito's sever offline at approximately 23:30 UTC. 1 hour later, Lin searched for “pm2 crashed”, “view pm2 daemon logs”, “pm2 daemon logs” and “pm2 changelog”. PM2 is process manager software which helps its users manage and maintain applications online.

On 12th March 2020, Lin emailed himself a diagram of a darknet market:

About Lin

Lin regularly posted on Twitter and was very vocal about his support of Monero. His blog showcased the Monero and Tor nodes he hosted, along with his NFT collection.

Lin had been working since November at Taiwan's embassy in St Lucia, an eastern Caribbean nation that is one of the Asian island's few allies. He had applied to work as part of the embassy's technical corps in lieu of military service, mandatory for Taiwanese men. Expected to be discharged in July, Lin applied for leave and left St Lucia on 18th May.

3 months before he was arrested, he gave a presentation titled “Cyber Crime and Cryptocurrency” to a room full of St. Lucia police:

2 months before he was arrested, Lin tweeted:

Looks like @krakenfx is finally clamping down on Monero, received this email asking me to provide bank statements and source of funds after XMR deposit to Kraken. Traded large volume there for some time now, never had this issue before. I did advanced KYC and have OTC rights…

1 week before he was arrested, he posted on LinkedIn that he had become a certified user of Reactor, the crypto tracing tool sold by blockchain analysis firm Chainalysis. “I'm excited to share that I've completed Chainalysis's new qualification: Chainalysis Reactor Certification (CRC)!” Lin wrote in Mandarin.

Lin's last Twitter post shows a Chainalysis diagram of money flows between darknet markets and cryptocurrency exchanges. His market, Incognito, is shown in the diagram.

One of Lin's last posts on Dread, after announcing Incognito's extortion and exit scam:

Complaint

Other Articles About Incognito Market

MommaBear's statement about the situation:

At approximately 02:31 UTC on Tuesday May 21 2024, I discovered that both the cold storage escrow and joint-pocket (commission) wallets were completely empty. Both wallets had sent funds to a the same address that I do not recognise. As soon as I made this discovery, I went through and changed all of our server's access keys to mitigate any further damage. After doing so I reached out to dread staff to notify them of the situation.

MommaBear claims that co-administrator, /u/FatherBear, was the only other person that had access to the wallets, and believes the market was not compromised, rather his co-administrator has stolen the funds:

/u/FatherBear is the only other person that had access to these wallets and at this time I have no reason to believe they are compromised. At this time I can confidently say /u/FatherBear is in possession of all market funds. It is my belief that they got spooked with the news surrounding Pharoh and decided to take the funds and run.

The current status of the market:

At this time, all SuperMarket onions are shut down and orders are paused. I will update you all soon with more information.

Read the signed message here.

Previous Drainage of Wallets

2 months earlier, on 8th March 2024, somebody exploited a bug in SuperMarket that allowed them to drain all the funds in the market's wallet.

The market claimed the bug was in Monero's developer software, and not the market:

Approximately 1 hour after the bug had been made public it occurred again completely draining the market wallets. During our research we found that the bug was a result of the Monero RPC becoming overloaded and was not a bug in the market itself.

The administrators took full responsibility for the issue and refunded all stolen funds from their personal wallets.

The winding-down process began 7th May, and finishes in 6 months. Their support staff will be available for help throughout this period.

Key information regarding the closure:

• Effective immediately, all new signups and ad postings are disabled.
• On May 14th, 2024, new trades will be disabled as well.
• 6 months from now, on November 7th, 2024, the website will be taken down.
• After November 7th, 2024, funds left on the site may be considered abandoned/forfeited.

Their closing statement mentions that they think Monero's future is bright:

LocalMonero has been around for most of Monero's life. Fortunately, the Monero ecosystem has matured a lot over these years, and with the imminent launch of Haveno and other DEXs like Serai, atomic swaps, the coming addition of FCMP (full blockchain anonymity set replacing rings of 16) as well as the continuing and rapidly accelerating development of the Monero protocol, we're confident that Monero's future is bright, with or without our platform.

Other News: xmrguide.org is Shutting Down

On 15th May 2024, xmrguide.org's maintainer, /u/Thotbot, commented that he doesn't have time to maintain the site anymore.

The post, by /u/LeChacal:

We never get time to thank you for helping us in our smooth retirement. It was a lovely and memorable journey. Some people made crazy consipiracy theories about our retirement and none of those were true. We simply retired because we needed a break. Working with ASAP is the best thing happened for me on Darknet. Everyone in our team was honest and highly motivated. At this time, we're not planning to re-launch under the same name as well as a new name. Our team has retired. None of us are in touch with anyone. I believe everyone is enjoying the well-earned retirement. Everything sounds like a dream now.

Running a market isn't simple, its very tiring and stressful. We faced lots of challenges. If some of you remember about this incident(refer to /post/0b3875d047176101b005), it was the worst thing happened with us. Someone robbed all our funds and approx 4.6 millions were stolen at that time. We were left with nothing. Instead of pulling the plug, we paid everyone from our pockets. ASAP Market kept growing and we become one of the biggest market on the Darknet. At the time of retirement, we had around 10-12 millions in the escrow. You all know, we didn't run away with those funds, we retired with dignity as your happiness was everything for us. You can't be perfect but we tried our best to run a successful market and kept all our promisses.

The post addresses an incident that happened, on 9th August 2022, where a large undisclosed amount of crypto was stolen from the market:

Without going into graphic details of everything and without disclosing the exact amount of coins we lost in this fiasco. I only want to inform that we have lost a big amount of crypto. Most of the markets would have exitscammed after such loss but we're still here.

LeChacal reveals the amount was $4.6 million.

Their launch post highlighted the features:

• XMR Only Marketplace
• No account required to browse
• Shopping Cart system
• PGP Login
• Buyer pays fee
• Unique .onion access system
• Enforced E2E Encryption
• Employee accounts
• Quick replies
• Private jabber server
• Jabber alerts

The market uses adult actress Mia Khalifa in some of their logos:

White House Market Connection

DrugHub's launch post contained a signed message using the key found on /u/WhiteHouseMod's Dread profile. Around November 2023, all White House Market's mirrors came online with a message signed with WHM's official shop_master key:

White House Market team is back with a new project: DrugHub

Permanent link:
http://drughubrrr3vnzjcm4vhgdqlr5cfjhszkfhoamn3pas4a24ker7ybvqd.onion/

Mirror distribution system (clearnet):
https://drughub.su/

Mirror distribution system (Tor):
http://drughub4bb7f3r53m5r4j6virgues4a4mjkyrftt3syhc6kj2l6mzdqd.onion/

DrugHub master PGP key fingerprint: DA08FAC38F5731B31FC5A1EE0DF7792098838DF5

This message has been signed with White House Market master signing key:
Key fingerprint: 7384F2490795BD86B00EEFDCD3AEE04FC4C6007E
Key name: shop_master

One of WHM's mirrors: 76p5k6gw25l5jpy7ombo2m7gt4zppowbz47sizvlzkigvnyhhc26znyd.onion.

DrugHub staff later posted the same message on Dread in a post titled "Yes ? No ? Maybe ? Stay tuned". Read the signed message here.

Unique Features

DrugHub has a unique link distribution system. "Unlike regular mirror rotation everyone will get a truly unique mirror. No DDoS, always up, always fast":

The market also has enforced end to end PGP encryption, similar to WHM, and an internal jabber server that allows market users to communicate with each other and receive notifications.

DrugHub has few or no captchas.

About Nemesis

Nemesis Market was launched in 2021 and had over 150,000 users and 1,100 vendors. According to law enforcement, 20% of Nemesis's users were German.

Nemesis was known for it's unique captcha:

Before Seizure

On 20th March, one day before the seizure, Nemesis's administrator created a new account on Dread and warned users that the market had been seized. Shortly after appearing, he deleted most of his posts.

Nemesis market got seized by one of the law enforcement in europe
Please clean your house, they have access to all your info in the past two months

I will update you guys soon
Nemesis will be back soon

Block 835,572
Hash = 00000000000000000001d47bb253f3fed3175187cd8d918fb91f73947e0c0f42

Regards,
Francis

Read the signed post here.

After Seizure

On 21st March, an animated seizure banner appeared on the market and a press release was published.

Nemesis's administrator didn't like the animation:

End update

On 9th March, Incognito Market started to extort vendors and buyers. Just 1 week after they started to exit scam.

The same day, vendors started to report that an extortion message was being shown in their vendor panels.

The administrator of Incognito taunted users on Dread in a post titled "Bit update on Incognito":

Extortion Message

Incognito is threatening to publish private messages, transaction info and order details unless vendors pay a fee. The market claims they are going to publish a dump of 557k orders and 862k crypto transactions at the end of May. Unless vendors pays to get their own and customer data removed from the list. The message claims buyers will get access to this portal in a few weeks so they can remove their information too.

The market claims that any addresses sent using the auto encrypt function were saved in plain text and any expired messages and transaction ids were not really deleted.

The amounts they're asking for range from $100 to $20,000, depending on the vendors market level:

The vendors panel also shows which vendors have paid and which have not:

Some vendors decided to pay the extortion amount: